Version 0.5.5
=============

BUGS FIXED

* Fix compile bug on OpenBSD/SPARC
* Create indexes safely and atomically
* Fix Debian packaging bugs
* Fix "severe insanity" warnings
* Fix TCP state serialization / deserialization bug
* Hundreds of minor bug fixes all over the map
* Fix depth/nocase/offset if they don't occur right after 'content'
* Fix bug in alert spooling when packet is bigger than max log size
* Perform correct endian conversions for Linux SLL and NULL protocols

NEW FEATURES

* Totally new plugin loader
* New libfirestorm.so, contains firestorm core API
* Lots of API and code cleanups, stripped about 2K LOC
* IDX on-disk structures changed to accommodate new types
* Firestat shows what types of objects plugins have
* Indexing and querying of string types
* Improve packet matching performance by around 25%
* Set realtime process priority
* Allow setting of UID/GID by name
* Make everything large-file aware
* HTTP URI normalization engine
* NULL/LOOPBACK protocol support
* Basic filtering support in GNOME Firestorm Console
* Use GtkFileChooser in GNOME Firestorm Console
* Add a packet sniffing utility

Version 0.5.4
=============

BUGS FIXED

* Fixed crash bug with IPX matching code
* Fixed crash bug in fragrouter
* Fixed crash bug in TCP options parsing
* Fixed elog backwards compatibility issues
* Root directory is now /var/lib/firestorm not /var/firestorm
* Improvements to TCP stream reassembly memory usage
* Fixed crash bugs in argument parsing
* Fixed crash bug in GNOME firestorm console

NEW FEATURES

* Firecat can index log files for fast querying
* Firecat can query elog files (fast like a database)
* Firecat can concatenate many elog files into one
* RPM spec improved to provide firestorm-gnome packages
* Add index viewer mode to firecat

Version 0.5.3
=============

BUGS FIXED

* Fix bug in IPX decoder which could cause tcpdump converter to fail
* Many portability fixes, should fully build on FreeBSD now
* Fix prelude plugin bitrot
* Fixed longstanding bugs in dsize matcher
* Snort compatible 'offset' modifier
* Fix bug in log plugin displaying IP addresses in ipfrag alerts
* Fix crash bug in ipfrag (when reassembly times out)
* Don't alert on retransmit of SYN packets

NEW FEATURES

* Balance alerts between alert spools
* Setwise string matching (MASSIVE performance increase)
* Rule ordering is preserved
* Basic GUI for reading elogs
* Increased disk performance for logging and disk capture
* Patch for ethereal to read elogs
* Intelligent TCP stream reassembly
* Greatly improved HTTP decode facility
* IPX snort rule support

Version 0.5.2
=============

BUGS FIXED

* UDP packets weren't being matched at all since 0.5.1
* TCP state was broken in elog files
* Fixed various bugs in TCP state tracking logic
* 802.3-novell frames weren't being decoded properly
* Fixed a lot of potential bugs in matchers
* Fixed bug in linux capture where HUPing caused infinite loop

NEW FEATURES

* Alerts on suspicious TCP state violations
* Restored vim syntax file
* Can now specify log directory
* Released first cut of firestorm user manual
* TCP SYN timeouts
* Buffered I/O for alerts, utilise full disk bandwidth

Version 0.5.1
=============

BUGS FIXED

* Fix bugs in http decode
* Fixed ipfrag alerts
* Fixed log target to work for all IP packets

NEW FEATURES

* Back to a single, simple config file
* Session data saved in alert log files
* Built-in alerts are now appropriately rate-limited
* Made firecat more user friendly

Version 0.5.0
=============

BUGS FIXED

* Fix IP address matching on big-endian machines
* Handle ip_proto and ttl correctly for less-than/greater-than
* IP address lists work properly with negation
* Fix silly bugs in ipfrag which crept in with the last release
* Fix content match for IP packets with no encapsulated headers
* Fix some other minor bugs in content matching
* Fixed improper state tracking of half closed TCP connections
* Fixed lots of potential decoding bugs all over the map

NEW FEATURES

* Now differentiates 802.3 from Ethernet II
* Support for LLC, SNAP and 802.3 IPX frames
* tcpdump capdev module can handle byte-swapped files
* New faster and simpler packet classifier
* If a packet matches two signatures an alert is generated on the most specific
* RPC matcher finally implemented
* Fully support alert priorities and classifications
* tcpstream supports window scaling and PAWS
* Support for ratelimiting alerts (per-alert, burstable)

Version 0.4.6
=============

BUGS FIXED

* Fix trivial memory leak in signature loading
* Don't clobber existing logfiles in dump output module
* Fix (very rare) infinite loop condition in string matcher
* Fixed bug in snort rule parsing

NEW FEATURES

* Brand new TCP state tracking code, much more accurate and efficient
* Decode IGMP and IrDA packets
* New simplified log output plugin, one line per alert
* New extended log output plugin (native firestorm format)
* First stab at implementing uricontent properly
* Implement dns_recursive matcher (triggers on recursive dns queries)
* Implement dns_iterative matcher (triggers on iterative dns queries)
* Real sid/rev support in snort signatures
* Match on HTTP methods in HTTP requests
* Bundle snort rules with the default distribution
* Updated RPM to be easier to configure
* Actually implement the SIGHUP handler for log rotation
* Calculate checksums on TCP segments

Version 0.4.5
=============

BUGS FIXED

* Fix permissions of ascii logfile (john at johnleach dot co dot uk)
* Fixed bug where 'depth' modifier for string match didn't work
* Fixed compile bug if using Linux without mmap packet socket()

NEW FEATURES

* Support IP address lists in snort rulesets
* Implement 'flow' keyword
* Firestorm can now act as a prelude NIDS sensor (http://www.prelude-nids.org/)
* Snort 'regex' modifier now fully supported
* More options available for output modules
* More options available for capture modules

Version 0.4.4
=============

BUGS FIXED

* pcapfile would loop forever at the end of the file
* snort parser failed if you used a variable for a port
* IP fragments not containing headers would be matched
* SLL decode reported pkttype incorrectly
* Escaped characters from snort files were ignored in content strings

NEW FEATURES

* Match IP fragment offsets ('fragoffset')
* TCP connection tracking / stateful inspection
* Implement the 'stateless' keyword
* IP fragmentation module now performs even better when under DoS attack
* IP fragmentation module now supports timeouts
* Snort variables can now be negated (var EXTERNAL_NET !$HOME_NET).

Version 0.4.3
=============

BUGS FIXED

* potential insertion attack in IP decode
* potential crash in ipopts decode
* ipfrag queued truncated packets
* ipfrag could match reassembled packets twice with 'linux' capture
* ipfrag could crash with live captures
* ipfrag didn't account memory for fragment payloads
* RPM would overwrite firestorm.conf

NEW FEATURES

* 802.1q (vlan) decode plugin
* 'ascii' output module can log to a separate file
* 'linux' capdev allows you to specify an interface (or 'any')
* 'linux' capdev detects MTUs when you specify an interface
* Can log alerts as tcpdump files ('dump' plugin)
* ipfrag can ignore packets with ttls that are too low (minttl option)
* Choose different output formats depending on type of alert

Version 0.4.2
=============

BUGS FIXED

* reassembled fragments were incorrectly decoded
* reassembled fragments didn't have checksums
* Hi/Lo watermark values in ipfrag were faulty
* Fragments inside other fragments would be tracked
* Ignore IP fragments with bad checksums
* Fix crash bug in IP matching code
* Fix decode bug for TCP
* Fix decode bug for IP
* Make sure content and dsize matchers match data not headers

NEW FEATURES

* Case insensitive string matching
* Select output/alert plugins from config file
* IP fragmentation configuration is tunable
* Linux SLL protocol (for pcap:any)
* Allow plugins to be 'required'
* Catch SIGHUP to rotate logs
* Add --with-libpcap-includes to configure
* Add --with-libpcap-libraries to configure
* ipfrag detects fragmentation attacks
* IP decoder detects tcpdump exploits
* Some optimisations here and there

Version 0.4.1
=============

BUGS FIXED

* tcpdump capture would pause a while before starting big files
* ip address and port negation false negatives
* negation was broken on bi-directional snort rules
* fix bad decode (tcp/udp/icmp) where the application layer wasn't added
* IP ID matcher wasn't implemented
* Binary builds linked to stupid libraries

NEW FEATURES

* depth/offset support for 'content' keyword
* IP options matcher (ipopts)
* Match ICMP packets
* ICMP ID and ICMP sequence matchers (icmp_id, icmp_seq)
* 'require' keyword in config file

---
OLD CHANGELOGS

Version 0.4.0
- Rewrote from scratch.
- New, much more flexible, more efficient decoder
- New, much more flexible plugin system
- Capture plugins get more control
- New packet structure
- Support for preprocessors
- IP defragmentation preprocessor
- OS specific capture device for Linux (v. fast)
- Signal handler works properly
- Separate packet matching for separate protocols
- firestat: Displays details of firestorm plugins
- Faster, nicer snort parser
- Implement 'sameip'
- Implement snort variables as the 'var' keyword

Version 0.3.1 (the version that never was)
- Removed malloc/free/strdup cruft
- Stricter with plugin loading
- Removed loads of stuff from g_globals.h
- Added support for (flags: 0;)
- Moved PC in to classifier.c
- Cosmetic fiddling

Version 0.3.0
- gcc3 compile fix. (sean_boyle at mentorg dot org)
- Got rid of ugly old btree stuff
- Inlined demultiplexing and a few other bits and bobs
- Added libpcap_pfile capture engine which uses libpcap
- Removed redundant list_prepend function
- Got rid of generic list stuff for cleanup, capdevs, matchers
- Removed time() syscalls from all over the place
- Converted libpcap_file to use mmap() - MUCH faster!
- Removed ALL threading and locking, multiple captures broken
- Removed dependency on pthreads
- Removed static sized buffer from packet_t, now a pointer
- Improved build process for plugins and documentation
- Stopped memsetting packet buffers
- Lots of portability fixes
- Sane exit codes
- Removed signal handlers
- Fix crash bug in ICMP reporting in alert target
- Removed stormwall/report stuff
- Removed leak checker
- Use snort style packet classifier, much faster

Version 0.2.2
- Command line options for stormwall
- Report target can be configured using config globals
- Experimental XML output plugin
- Made sniffer fallback more robust with $DEFAULT_TARGET variable
- Added more error messages
- Fixed snort_flip_rule(), no barfing over perfectly good snort rules
- Snort rule parsing fixes and tidyups
- Snort(1.8) fix. Numerical IP_PROTO now accepted
- Snort(1.8) fix. Extraneous new fields ignored instead of barfed on.
- Snort(any) fix. Protocol is omitted if it's "ip"
- Fixed potential stack buffer overflow in config file parser
- Fixed memory leak in string matcher (added more error messages too)
- Fixed heap corruption in snort ruleset handling, removed a hack too...
- EXPERIMENTAL rule compiler (FAST) [see bottom of includes/g_globals.h]

Version 0.2.1
- Simple template bugfix
- Added ZLIB compression of network data
- Started firestorm daemon, provides only debug output
- Started report plugin, sends packets out on UDP (EXPERIMENTAL)
- Fixed so that logfiles are opened O_TRUNC
- Removed top layer hack for matchers, which are now just dumb
- Sniffer fallback mode, if no rules, all packets get sent to alert
- Fixed GRE handler and added alert support for it.

Version 0.2.0 (Vegas)
- Packet decode engine redesigned, now supports encapsulation
- Final few issues in snort parser resolved
- Log target (logs to tcpdump files)
- Alert target supports Ethernet II and ICMP
- Netlink capture bugfix, reports link proto correctly
- Documented firestorm config in SGML docs
- GRE encapsulation support
- Firestorm daemonizes and prints output to a file (specified on cmd line)
- Alert dumps to its own file
- plugin_require now works
- ICMP plugin demultiplexes original packet
- Fixed heap corruption bug in snort parser

Version 0.1.6
- libpcap_file understands RedHat "Extended" capfiles
- Linux firewall netlink capture.
- Optional internal leak checker.
- Fixed a memory leak in ip matcher!
- Some better macros for plugin hackers.
- Uncommented locking code in print functions (oops)
- Changed lots of print_out()s to print_raw()s (more efficient)
- Removed stupid fsync() in print_???, fewer syscalls, more efficient
- Tidied up code by wrapping it all before 80 chars
- Installer and RPM spec file
- Alert target yet more verbose, prints time etc.

Version 0.1.5
- String match bugfix
- TCP flags bugfix
- Keep better track of internal resources
- VIM syntax file for config files included
- Targets get access to rule
- Matchers need not have match functions (ie: they are metadata)
- Added some better cleanup templates
- Aggregated tcp/ip headers to improve cross platform support
- Added TCP flags display to alert target
- Fixed chroot/drop privs to warn if not superuser
- Added IP TOS matcher, like snort's, not very user friendly
- IP fragbits matcher

Version 0.1.4
- Plugin dirs, capture devices, etc. can all be configured from config file
- Can now drop root privileges (not tested)
- Sensor can run chrooted (not tested)
- Libpcap live capture plugin
- Plugin configuration via global variables
- Snort parser bug fix
- Snort parser understands variables
- Snort strings allow embedding binary data

Version 0.1.3
- Lots of compile fixes, FreeBSD, and SunOS/Solaris now supported
- Removed dependency on libpcap
- configure has --with-libpcap-includes option
- TCP flags, urgent pointer, window size, seq and ack matchers
- DSIZE matcher, matches total packet data size
- Favour BSD style tcphdr struct
- Targets can let packets continue
- ICMP SEQ/ID matchers
- IP ID match bug fix
- Alert slightly more verbose

Version 0.1.2
- Allow negation of rule criteria
- Snort rules support negation
- Added string (content) match, with depth and offset
- Warn better in the case of syntax err in snort ruleset
- Support for bi-directional snort rules
- Strip quote marks off of strings in snort rule values
- TTL match
- IP ID match
- Attempt to better the documentation